Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Chef Summit London: InSpec Keynote

Chef Summit London: InSpec Keynote

Christoph Hartmann

October 16, 2018
Tweet

More Decks by Christoph Hartmann

Other Decks in Technology

Transcript

  1. View Slide

  2. Christoph Hartmann
    Alex Pop
    Co-Creator InSpec, Engineering Director
    Twitter: @chri_hartmann
    Github: chris-rock
    Software Engineer
    Twitter: @al3xpop
    Github: alexpop

    View Slide

  3. InSpec Updates
    Alex Pop & Christoph Hartmann

    View Slide

  4. Agenda
    ● InSpec Overview
    ● Project Community Update
    ● Demo 1: Profile and Control Improvements
    ● Demo 2: Extensions and Integrations
    ● InSpec Outlook
    ● Q & A

    View Slide

  5. InSpec Overview
    ● Show of hands
    ● Open-source framework with:
    ○ a simple language to describe tests
    ○ local & remote execution engine
    ○ flexible reporting
    ● Used primarily for infrastructure and compliance testing

    View Slide

  6. Audience
    DevOps Security
    Compliance

    View Slide

  7. DevOps

    View Slide

  8. Security
    Heartbleed Shellshock WannaCry

    View Slide

  9. Mapping of Compliance Document to InSpec

    View Slide

  10. InSpec Achievements

    View Slide

  11. View Slide

  12. InSpec Timeline
    Initial Version
    April 9th, 2015 November 3th 2015
    InSpec
    0.9
    September 26th 2016
    InSpec
    1.0
    February 20th 2018
    InSpec
    2.0

    View Slide

  13. Project Health
    207 Contributors 36 days issue
    resolution time
    626 total releases
    (one per week)

    View Slide

  14. Project Health (Commits per Week)

    View Slide

  15. Project Health (Stargazers)

    View Slide

  16. Operating System Support
    Amazon Linux CentOS HP UX
    IBM AIX RHEL SLES Ubuntu Windows
    Debian
    Cisco IOS

    View Slide

  17. Cloud Platform Support
    ● Integrated in Azure Shell, Part of Azure Policy's Guest Configuration
    ● Integrated into AWS EC2 Run Command
    ● InSpec integrates with PowerClI

    View Slide

  18. Platform Resources are managed in Resource Packs
    Profile 1 Profile 2
    Resource Pack
    ● Resource improvements are managed
    independently from InSpec’s runtime
    ● Easier to support new platforms
    ● Makes management of runtime
    independent from the the user of the
    runtime

    View Slide

  19. New: Support for Google Cloud Platform
    github: inspec/inspec-gcp

    View Slide

  20. InSpec helps to shift security concerns to the left
    Compliance
    DevOps

    View Slide

  21. InSpec 3
    :shipit:

    View Slide

  22. Demo:
    Profile & Control Improvements

    View Slide

  23. InSpec’s Extension Mechanism (Current)
    My CIS L1
    (inspec overlay)
    CIS Lvl1
    (inspec)
    DevSec Windows
    Patch
    Baseline
    DevSec Linux
    Baseline
    DevSec Windows
    Baseline
    DevSec Linux Patch
    Baseline
    Profile 1 Profile 2
    Resource Pack
    Profile Inheritance Wrapper Profiles Resource Packs

    View Slide

  24. InSpec’s Extension Mechanism
    Provisioning Verification

    View Slide

  25. InSpec’s Extension Mechanism
    CLI and Platform
    Plugins
    Terraform Provisioner
    Plugin
    terraform plugin github: inspec/terraform-provisioner-inspec
    inspec terraform cli plugin github: inspec/inspec-iggy

    View Slide

  26. ● Digitalocean Resource Pack
    ● Digitialocean Platform Plugin
    Digitalocean Extensions for InSpec

    View Slide

  27. Demo 2
    Extensions & Integrations

    View Slide

  28. InSpec’s Extension Mechanism
    Provisioning Verification

    View Slide

  29. InSpec Wrap-up
    ● Improvements for advanced profile handling, scalability and easier
    profile editing
    ● Improved reporting for aggregated profiles
    ● Extended cloud resources
    ● Google Cloud and Digitalocean resource pack
    ● Improved Terraform InSpec integration

    View Slide

  30. InSpec Outlook
    ● Priorities are based on issues and community feedback
    ● Identified areas for improvement
    ○ Simplified usage of resource packs
    ○ Improved resource lifecycle handling (alpha, stable, deprecated)
    ○ Ensure consistent behaviour for unavailable resources
    ○ Improve profile inheritance with namespaced attributes
    ○ Centralized deprecation behavior across inspec

    View Slide

  31. OpenSource Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    dev-sec.io
    • Chef Cookbooks
    • InSpec Baselines

    View Slide

  32. Chef Automate ships with over 100 CIS Profiles

    View Slide

  33. Q & A

    View Slide

  34. References

    View Slide

  35. Appendix

    View Slide

  36. Plugins
    ● Support for InSpec CLI and Platform plugins
    ○ CLI https://github.com/inspec/inspec-iggy
    ○ Backend https://github.com/inspec/train-digitalocean
    ● Resource Packs for Platforms
    ○ https://github.com/chris-rock/inspec-digitalocean
    ● See https://github.com/inspec/inspec/issues/3089 for more
    details

    View Slide

  37. Unified attributes (1/2)
    Instead of re-defining InSpec attributes in each test file:
    --> control1.rb
    user = attribute('user', default: 'alice', description:
    '...')
    ...
    --> control2.rb
    user = attribute('user', default: 'alice', description:
    '...')

    View Slide

  38. Unified attributes (2/2)
    Attributes are defined in the inspec.yml:
    attributes:
    - name: user
    default: alice
    required: true
    See https://github.com/inspec/inspec/issues/3176

    View Slide

  39. Skip overhaul
    ● "Skip" is currently used to identify cases where a control cannot run:
    ○ The user doesn't want it to run when inheriting the profile
    Example: Use your colleague's AWS profile but skip all controls that test S3.
    ○ The control isn't run when certain conditions are met.
    For example don't test MySQL if it isn't installed.
    ○ A control is skipped if it uses resources that are not supported on the target system. For
    example looking for a "package" when testing an API.
    ● See https://github.com/inspec/inspec/issues/3158 for more details

    View Slide

  40. Severity
    Prior to InSpec 3, severity was a numerical value
    that is implicitly scaled as:
    0.0 Informational
    <0.4 Minor controls
    <0.7 Major controls
    <=1.0 Critical controls
    We can now be more descriptive and use the
    CVSS values: low, medium, high, critical
    See
    https://github.com/inspec/inspec/issues/562
    control 'one' do
    impact 1.0
    control 'one' do
    impact 'critical'

    View Slide

  41. Multiple description types (1/2)
    We often see descriptions like the following in our controls:
    desc '
    This is a very long description.
    Rational: Why we do this…
    Fixtext: How to fix it…
    '
    This doesn’t expose the context of the description, e.g. the “rational” or
    “fixtext”.

    View Slide

  42. Multiple description types (2/2)
    By using an identifier for the descriptions, users can provide more context:
    desc '
    This is a very long description.
    '
    desc 'rational': 'Why we do this...'
    desc 'fixtext' : 'How to fix it...'
    See https://github.com/inspec/inspec/issues/1695

    View Slide